A security vulnerability (CVE-2025-30066) has been identified in a widely used third-party GitHub Action, tj-actions/changed files. This security flaw exposes sensitive information, including valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys.
The vulnerability has been patched in version 46.0.1, and users are urged to update immediately to protect their repositories and workflows.
What is tj-actions/changed-files?
tj-actions/changed-files is a popular GitHub Action that helps users track file modifications in pull requests and commits. It identifies changed files relative to a target branch, multiple branches, or specific commits, making it an essential tool for developers automating CI/CD workflows.
However, due to a recent supply chain compromise, attackers exploited a security weakness in this action, leading to potential information disclosure risks. The vulnerability was discovered by StepSecurity Harden-Runner and has since been addressed in the latest patch.
How Was the Action Compromised?
The compromise occurred between March 14 and March 15, 2025. Originally, versions v1 through v45.0.7 were safe, but a malicious actor modified these tags to point to commit 0e58ed8, which contained a harmful updateFeatures code. This modification allowed attackers to read action logs and potentially extract sensitive credentials.
Upon discovery, GitHub and the maintainer of tj-actions/changed-files took swift action to remove the compromised commit from all tags and branches. The issue was patched in version 46.0.1, and users are strongly advised to update immediately to prevent further exploitation.
CISA Flags CVE-2025-30066
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-30066 to its Known Exploited Vulnerabilities Catalog, emphasizing the severity of this issue. CISA strongly urges organizations to follow recommended mitigation steps to enhance security when using third-party GitHub Actions.
Steps to Mitigate the Risk
Users who have used tj-actions/changed-files in their workflows between March 14 and March 15 should take the following steps:
1. Review Workflows for Suspicious Activity:
- Examine executed workflows during the affected period.
- Look for unexpected output in the changed files section.
- If anomalies are detected, decode them using:
echo 'xxx' | base64 -d | base64 -d- If the output contains sensitive credentials, immediately revoke and rotate those secrets.
2. Update to the Latest Version:
- If your workflows reference this action by SHA, update them immediately to avoid using the compromised commit.
- If using tagged versions (e.g., v35, v44.5.1), no action is required, as these tags have been updated to safe versions.
- The latest patched version is v46.0.1.
3. Rotate Any Potentially Exposed Secrets:
- As an added precaution, even if no suspicious activity is found, rotate secrets to ensure continued security.
4. Enhance Security Measures for Third-Party Actions:
- Regularly monitor security advisories for GitHub Actions.
- Consider implementing GitHub’s security features, such as Dependabot alerts and workflow permissions restrictions.
- Restrict third-party actions to trusted sources only.
The compromise of tj-actions/changed-files is a significant example of supply chain attacks targeting the open-source community. Since many developers and organizations rely on third-party GitHub Actions to automate processes, a single compromised dependency can have widespread consequences.
Key Risks Posed by CVE-2025-30066
- Exposure of Sensitive Credentials: Attackers could extract GitHub PATs, npm tokens, RSA private keys, and other credentials from compromised workflows.
- Potential for Unauthorized Access: Stolen credentials could be used to manipulate repositories, inject malicious code, or gain unauthorized access to systems.
- Wide-Scale Impact: Given the popularity of this action, organizations across different industries may be affected.
Lessons From the Attack
The tj-actions/changed-files incident serves as a wake-up call for organizations relying on third-party dependencies. To minimize risks, cybersecurity experts recommend:
- Regularly Audit Dependencies: Periodically review and update third-party actions and dependencies to reduce exposure to vulnerabilities.
- Enable GitHub’s Security Features: Features like Dependency Graph, Dependabot Alerts, and Secret Scanning can help detect security issues early.
- Restrict Workflow Permissions: Avoid giving excessive permissions to third-party actions. Use the principle of least privilege (PoLP).
- Implement Zero-Trust Principles: Treat every third-party tool with caution and verify its integrity before integrating it into workflows.
- Monitor Security Advisories: Subscribe to GitHub security advisories and CISA alerts to stay updated on potential threats.
Conclusion
The compromise of tj-actions/changed-files (CVE-2025-30066) is a critical security issue that underline the growing risks of supply chain attacks in software development. With GitHub Actions being widely used to automate processes, organizations must prioritize security by regularly updating dependencies, restricting permissions, and monitoring for vulnerabilities.
By following CISA’s recommendations and implementing proactive security measures, developers and organizations can mitigate the risk of similar attacks in the future.
